| author | 2023-04-17 09:29:45 +0000 | |
|---|---|---|
| committer | 2023-04-17 09:29:45 +0000 | |
| commit | 89bb4db1d83f7fd4e1de8a599de3dccb3c6bb704 (patch) | |
| tree | e7e39ea2ba03ae81d22c88f00904da83c38e23e0 | |
| parent | 0a5094e8e2a73c0140f0dcd619fb24cf777dd30c (diff) | |
| parent | f679f55bf555d684976963753d9c9d43d59c0bf8 (diff) | |
Merge "Correct which type of PO has the _LOCK_TASK permission." into udc-dev
| -rw-r--r-- | services/devicepolicy/java/com/android/server/devicepolicy/DevicePolicyManagerService.java | 134 |
1 files changed, 103 insertions, 31 deletions
diff --git a/services/devicepolicy/java/com/android/server/devicepolicy/DevicePolicyManagerService.java b/services/devicepolicy/java/com/android/server/devicepolicy/DevicePolicyManagerService.java
index 855734803c02..22966396063f 100644
--- a/services/devicepolicy/java/com/android/server/devicepolicy/DevicePolicyManagerService.java
+++ b/services/devicepolicy/java/com/android/server/devicepolicy/DevicePolicyManagerService.java
@@ -11051,17 +11051,6 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub {
return true;
}

-
- private void enforceCanCallLockTaskLocked(CallerIdentity caller) {
- Preconditions.checkCallAuthorization(isProfileOwner(caller)
- || isDefaultDeviceOwner(caller) || isFinancedDeviceOwner(caller));
-
- final int userId = caller.getUserId();
- if (!canUserUseLockTaskLocked(userId)) {
- throw new SecurityException("User " + userId + " is not allowed to use lock task");
- }
- }
-
private void enforceCanQueryLockTaskLocked(ComponentName who, String callerPackageName) {
CallerIdentity caller = getCallerIdentity(who, callerPackageName);
final int userId = caller.getUserId();
@@ -11089,6 +11078,16 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub {
return enforcingAdmin;
}

+ private void enforceCanCallLockTaskLocked(CallerIdentity caller) {
+ Preconditions.checkCallAuthorization(isProfileOwner(caller)
+ || isDefaultDeviceOwner(caller) || isFinancedDeviceOwner(caller));
+
+ final int userId = caller.getUserId();
+ if (!canUserUseLockTaskLocked(userId)) {
+ throw new SecurityException("User " + userId + " is not allowed to use lock task");
+ }
+ }
+
private boolean isSystemUid(CallerIdentity caller) {
return UserHandle.isSameApp(caller.getUid(), Process.SYSTEM_UID);
}
@@ -14679,7 +14678,7 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub {
if (isPolicyEngineForFinanceFlagEnabled()) {
EnforcingAdmin enforcingAdmin;
synchronized (getLockObject()) {
- enforcingAdmin = enforceCanCallLockTaskLocked(who, callerPackageName);
+ enforcingAdmin = enforceCanCallLockTaskLocked(who, caller.getPackageName());
}
if (packages.length == 0) {
mDevicePolicyEngine.removeLocalPolicy(
@@ -14806,8 +14805,7 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub {
if (isPolicyEngineForFinanceFlagEnabled()) {
EnforcingAdmin enforcingAdmin;
synchronized (getLockObject()) {
- enforcingAdmin = enforceCanCallLockTaskLocked(who,
- callerPackageName);
+ enforcingAdmin = enforceCanCallLockTaskLocked(who, caller.getPackageName());
enforceCanSetLockTaskFeaturesOnFinancedDevice(caller, flags);
}
LockTaskPolicy currentPolicy = mDevicePolicyEngine.getLocalPolicySetByAdmin(
@@ -22516,11 +22514,26 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub {
"manage_device_policy_microphone_toggle";

// DPC types
+ private static final int NOT_A_DPC = -1;
private static final int DEFAULT_DEVICE_OWNER = 0;
private static final int FINANCED_DEVICE_OWNER = 1;
private static final int PROFILE_OWNER_OF_ORGANIZATION_OWNED_DEVICE = 2;
private static final int PROFILE_OWNER_ON_USER_0 = 3;
private static final int PROFILE_OWNER = 4;
+ private static final int PROFILE_OWNER_ON_USER = 5;
+ private static final int AFFILIATED_PROFILE_OWNER_ON_USER = 6;
+ // DPC types
+ @IntDef(value = {
+ NOT_A_DPC,
+ DEFAULT_DEVICE_OWNER,
+ FINANCED_DEVICE_OWNER,
+ PROFILE_OWNER_OF_ORGANIZATION_OWNED_DEVICE,
+ PROFILE_OWNER_ON_USER_0,
+ PROFILE_OWNER,
+ PROFILE_OWNER_ON_USER,
+ AFFILIATED_PROFILE_OWNER_ON_USER
+ })
+ private @interface DpcType {}

// Permissions of existing DPC types.
private static final List<String> DEFAULT_DEVICE_OWNER_PERMISSIONS = List.of(
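Review bot: Passing `caller.getPackageName()` instead of the raw `callerPackageName` parameter into `enforceCanCallLockTaskLocked(who, …)` only tightens anything if `caller` was produced by a helper that verified the package against the calling uid (the other overload visible in this file builds it with `getCallerIdentity(who, callerPackageName)`); the enclosing method starts outside this hunk, so that cannot be confirmed here. If that is the intent, say so where the identity is built so the next reader does not revert to the unvalidated argument, e.g. `// caller.getPackageName() is the uid-checked identity; never pass the raw callerPackageName through to an enforce* call`. If `getCallerIdentity` does not validate the package, the change is cosmetic and the check still rests on the `who` component.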
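Review bot: The added `// DPC types` comment directly above `@IntDef(value = {` duplicates the one that already heads the constants a few lines up, and it is the only documentation the new `@DpcType` gets. Replace it with a Javadoc that states the contract the rest of the commit relies on: `/** Category of a device-policy client, used as the key into {@link #DPC_PERMISSIONS}; {@link #NOT_A_DPC} is a sentinel with no map entry. */`. Android `@IntDef`s are usually paired with `@Retention(RetentionPolicy.SOURCE)` so the annotation is not compiled into the class; if the other IntDefs in this file carry it, this one should too.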
@@ -22674,7 +22687,9 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub {
SET_TIME_ZONE
);

-
+ /**
+ * All the additional permissions granted to a Profile Owner on user 0.
+ */
private static final List<String> ADDITIONAL_PROFILE_OWNER_ON_USER_0_PERMISSIONS =
List.of(
MANAGE_DEVICE_POLICY_AIRPLANE_MODE,
@@ -22699,6 +22714,20 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub {
);

/**
+ * All the additional permissions granted to a Profile Owner on an unaffiliated user.
+ */
+ private static final List<String> ADDITIONAL_PROFILE_OWNER_ON_USER_PERMISSIONS =
+ List.of(
+ MANAGE_DEVICE_POLICY_LOCK_TASK
+ );
+
+ /**
+ * All the additional permissions granted to a Profile Owner on an affiliated user.
+ */
+ private static final List<String> ADDITIONAL_AFFILIATED_PROFILE_OWNER_ON_USER_PERMISSIONS =
+ List.of();
+
+ /**
* Combination of {@link PROFILE_OWNER_PERMISSIONS} and
* {@link ADDITIONAL_PROFILE_OWNER_OF_ORGANIZATION_OWNED_DEVICE_PERMISSIONS}.
*/
@@ -22712,6 +22741,20 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub {
private static final List<String> PROFILE_OWNER_ON_USER_0_PERMISSIONS =
new ArrayList();

+ /**
+ * Combination of {@link PROFILE_OWNER_PERMISSIONS} and
+ * {@link ADDITIONAL_AFFILIATED_PROFIL_OWNER_ON_USER_PERMISSIONS}.
+ */
+ private static final List<String> AFFILIATED_PROFILE_OWNER_ON_USER_PERMISSIONS =
+ new ArrayList();
+
+ /**
+ * Combination of {@link PROFILE_OWNER_PERMISSIONS} and
+ * {@link ADDITIONAL_PROFILE_OWNER_ON_USER_PERMISSIONS}.
+ */
+ private static final List<String> PROFILE_OWNER_ON_USER_PERMISSIONS =
+ new ArrayList();
+
private static final HashMap<Integer, List<String>> DPC_PERMISSIONS = new HashMap<>();
{
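Review bot: The Javadoc on `AFFILIATED_PROFILE_OWNER_ON_USER_PERMISSIONS` does not describe what the initializer later in this commit actually builds: it says the list is `PROFILE_OWNER_PERMISSIONS` plus the affiliated extras, but the code does `addAll(PROFILE_OWNER_ON_USER_PERMISSIONS)` first, so an affiliated PO also inherits `MANAGE_DEVICE_POLICY_LOCK_TASK` from the unaffiliated set; the `{@link}` is also misspelled (`PROFIL_OWNER`) and will not resolve. Change the two lines to `* Combination of {@link PROFILE_OWNER_ON_USER_PERMISSIONS} and` / `* {@link ADDITIONAL_AFFILIATED_PROFILE_OWNER_ON_USER_PERMISSIONS}.` so the doc matches the permission set a reader will reason about. Minor: the two new `new ArrayList()` declarations are raw types; `new ArrayList<>()` keeps the `List<String>` contract checked by the compiler.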
@@ -22724,6 +22767,16 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub {
// some extra permissions.
PROFILE_OWNER_ON_USER_0_PERMISSIONS.addAll(PROFILE_OWNER_PERMISSIONS);
PROFILE_OWNER_ON_USER_0_PERMISSIONS.addAll(ADDITIONAL_PROFILE_OWNER_ON_USER_0_PERMISSIONS);
+ // Profile owners on users have all the permission of a profile owner plus
+ // some extra permissions.
+ PROFILE_OWNER_ON_USER_PERMISSIONS.addAll(PROFILE_OWNER_PERMISSIONS);
+ PROFILE_OWNER_ON_USER_PERMISSIONS.addAll(
+ ADDITIONAL_PROFILE_OWNER_ON_USER_PERMISSIONS);
+ // Profile owners on affiliated users have all the permission of a profile owner on a user
+ // plus some extra permissions.
+ AFFILIATED_PROFILE_OWNER_ON_USER_PERMISSIONS.addAll(PROFILE_OWNER_ON_USER_PERMISSIONS);
+ AFFILIATED_PROFILE_OWNER_ON_USER_PERMISSIONS.addAll(
+ ADDITIONAL_AFFILIATED_PROFILE_OWNER_ON_USER_PERMISSIONS);

DPC_PERMISSIONS.put(DEFAULT_DEVICE_OWNER, DEFAULT_DEVICE_OWNER_PERMISSIONS);
DPC_PERMISSIONS.put(FINANCED_DEVICE_OWNER, FINANCED_DEVICE_OWNER_PERMISSIONS);
@@ -22731,6 +22784,9 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub {
PROFILE_OWNER_OF_ORGANIZATION_OWNED_DEVICE_PERMISSIONS);
DPC_PERMISSIONS.put(PROFILE_OWNER_ON_USER_0, PROFILE_OWNER_ON_USER_0_PERMISSIONS);
DPC_PERMISSIONS.put(PROFILE_OWNER, PROFILE_OWNER_PERMISSIONS);
+ DPC_PERMISSIONS.put(PROFILE_OWNER_ON_USER, PROFILE_OWNER_ON_USER_PERMISSIONS);
+ DPC_PERMISSIONS.put(AFFILIATED_PROFILE_OWNER_ON_USER,
+ AFFILIATED_PROFILE_OWNER_ON_USER_PERMISSIONS);
}
//Map of Permission to Delegate Scope.
private static final HashMap<String, String> DELEGATE_SCOPES = new HashMap<>();
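Review bot: With `ADDITIONAL_AFFILIATED_PROFILE_OWNER_ON_USER_PERMISSIONS` empty, the two new `addAll` pairs produce identical permission sets for affiliated and unaffiliated profile owners on a user, so as of this commit affiliation changes nothing in the permission table and both get `MANAGE_DEVICE_POLICY_LOCK_TASK`. That is presumably deliberate, but a reader of this table will assume it is the access decision; the per-user gate is actually the `canUserUseLockTaskLocked(userId)` check in the `CallerIdentity` overload of `enforceCanCallLockTaskLocked` shown in the first hunk, and whether the `(who, packageName)` overload used by the policy-engine path performs the same check is not visible in this diff and should be confirmed. Add a line above the affiliated block so the intent survives: `// Affiliated and unaffiliated POs on a user currently get the same set; the per-user lock-task restriction is enforced by canUserUseLockTaskLocked(), not by this table.`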
@@ -23108,22 +23164,9 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub {
if (mContext.checkCallingOrSelfPermission(permission) == PERMISSION_GRANTED) {
return true;
}
- // Check the permissions of DPCs
- if (isDefaultDeviceOwner(caller)) {
- return DPC_PERMISSIONS.get(DEFAULT_DEVICE_OWNER).contains(permission);
- }
- if (isFinancedDeviceOwner(caller)) {
- return DPC_PERMISSIONS.get(FINANCED_DEVICE_OWNER).contains(permission);
- }
- if (isProfileOwnerOfOrganizationOwnedDevice(caller)) {
- return DPC_PERMISSIONS.get(PROFILE_OWNER_OF_ORGANIZATION_OWNED_DEVICE).contains(
- permission);
- }
- if (isProfileOwnerOnUser0(caller)) {
- return DPC_PERMISSIONS.get(PROFILE_OWNER_ON_USER_0).contains(permission);
- }
- if (isProfileOwner(caller)) {
- return DPC_PERMISSIONS.get(PROFILE_OWNER).contains(permission);
+ int dpcType = getDpcType(caller);
+ if (dpcType != NOT_A_DPC) {
+ return DPC_PERMISSIONS.get(dpcType).contains(permission);
}
// Check the permission for the role-holder
if (isCallerDevicePolicyManagementRoleHolder(caller)) {
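Review bot: `DPC_PERMISSIONS.get(dpcType).contains(permission)` now depends on every `@DpcType` value except `NOT_A_DPC` having an entry in the map; the old chain made that pairing visible at each call site, whereas a future type added to the IntDef but not to the initializer will surface as an NPE inside a permission check in system_server rather than as a denied call. Make the lookup fail closed: `List<String> perms = DPC_PERMISSIONS.get(dpcType);` / `return perms != null && perms.contains(permission);`. The enclosing method begins and ends outside this hunk, so whether the role-holder branch below has the same shape is not visible here.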
@@ -23193,6 +23236,35 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub {
return calledOnParent ? getProfileParentId(callingUserId) : callingUserId;
}

+ /**
+ * Return the DPC type of the given caller.
+ */
+ private @DpcType int getDpcType(CallerIdentity caller) {
+ // Check the permissions of DPCs
+ if (isDefaultDeviceOwner(caller)) {
+ return DEFAULT_DEVICE_OWNER;
+ }
+ if (isFinancedDeviceOwner(caller)) {
+ return FINANCED_DEVICE_OWNER;
+ }
+ if (isProfileOwner(caller)) {
+ if (isProfileOwnerOfOrganizationOwnedDevice(caller)) {
+ return PROFILE_OWNER_OF_ORGANIZATION_OWNED_DEVICE;
+ }
+ if (isManagedProfile(caller.getUserId())) {
+ return PROFILE_OWNER;
+ }
+ if (isProfileOwnerOnUser0(caller)) {
+ return PROFILE_OWNER_ON_USER_0;
+ }
+ if (isUserAffiliatedWithDevice(caller.getUserId())) {
+ return AFFILIATED_PROFILE_OWNER_ON_USER;
+ }
+ return PROFILE_OWNER_ON_USER;
+ }
+ return NOT_A_DPC;
+ }
+
private boolean isPermissionCheckFlagEnabled() {
return DeviceConfig.getBoolean(
NAMESPACE_DEVICE_POLICY_MANAGER, |
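Review bot: `getDpcType` is a classifier whose result decides which permission list a caller is checked against, yet its Javadoc is one line and the inherited comment `// Check the permissions of DPCs` describes the method it was lifted from, not this one, which checks no permissions. The order of the tests is load-bearing — first match wins, so an organization-owned PO is classified before the managed-profile test, and a managed-profile PO is never considered for the user-0 or affiliated categories — and none of that is written down. Expand the Javadoc to say that it returns the single most specific category for the caller, that the checks are ordered from most to least privileged within the profile-owner branch, and that `NOT_A_DPC` means the caller is neither a device owner nor a profile owner; then replace the stale comment with `// Order matters: first matching category wins, most privileged first.`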